Cybersecurity breach may leave DOD networks exposed

WASHINGTON — Some Pentagon computer networks might have been laid open to intruders as a result of a recent electronic break-in at one of the nation’s most prominent cybersecurity firms.

Earlier this month, RSA announced that an unknown attacker had launched an “extremely sophisticated” intrusion that snared information about its widely distributed SecurID token. It’s a device that generates random numbers designed to confirm identities of users logging into secured networks — so-called “two-factor authentication,” similar to a military Common Access Card.

Many government agencies, including the Department of Defense, rely on SecurID or other RSA security services. So do businesses around the world, including some defense-industry firms.

The Defense Department won’t say what may be at risk, but said investigators are working with the Department of Homeland Security and FBI to investigate, according to a Pentagon spokeswoman.

“While the Department does not rely heavily on [RSA’s] product solutions, we are determining the impact within the Department,” Pentagon spokeswoman Lt. Col. April Cunningham said in a prepared statement.

The government’s former top cybersecurity official said such attacks can have broad-ranging effects.

“It’s a flanking attack — not a direct attack to steal information — but an attack to steal the keys that unlock a lot of people’s information,” said Joel Brenner, national counterintelligence executive from 2006 to 2009. “I don’t think the public understands yet how grave this attack is. It ranks up there with the worst we’ve seen.”

Sources close to the investigation said the attack occurred in March when an RSA employee opened a malicious email attachment that allowed an intruder entry into the system.

RSA executive chairman Art Coviello said the stolen information on its own won’t unlock networks.

“While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack,” he said in a statement on RSA’s website.

But experts said hackers with the RSA information plus additional information from RSA clients might be able to break into networks. The relative ease of stealing information such as user names and passwords led to the rise of two-factor authentication products like SecurID in the first place.

RSA did not say if it had released software patches or other solutions, but a spokeswoman said in an email the company is “very actively communicating with customers and will share more publicly when we can.”

SecurID users should continue using the product, although those in charge of information security need to be vigilant, said cybersecurity expert Jerry Dixon, former director of national cybersecurity for DHS.

“By the same token, you can’t just drop all Microsoft products because there’s a security hole,” said Dixon, now director of analysis for the nonprofit cybersecurity firm Team Cymru.

Luckily for the Pentagon, Dixon said, “I’m absolutely positive U.S. Cyber Command is on top of this and looking for any problems that may come from it.”

A spokesman for Cyber Command, established by the Pentagon in 2009 in the wake of other high-profile attacks, would not comment on the command’s involvement.